Olympus FW analysis

[mx3]

new topic to host attached tool files to obtain and dissect Olympus FW


update:
fe-210
CPU: seems to be Lexra LX4180 - MIPS R3000-like CPU
OS: RTOS Green Hills
usefull link: Pure Digital / CVS Disposable Digital Camcorder

fw file contains 2 ELFs

[mx3]

x450
fe100
fe110
fe115
fe150 broken link
fe160 broken link
fe170
fe210
fe220
fe270
fe290
fe310
fe320
fe330
fe340
fe350



hm...
first ELF is the same for fe210, fe220, fe270, fe290
is it standart flasher?

fe310's first ELF differs from fe210's one
size of elf is the same

fe310, fe330, fe350 - the same first ELF

[kLOTTiS]

ive had a look through the fe210 firmware and have even found some plain text in one of the files.
what would be the next step? are there any programs that can be used to decrypt them? id really like to start making a modified firmware but dont really know where to start.
also is there a way to reupload the firmware once its modded?

[mx3]

ive had a look through the fe210 firmware and have even found some plain text in one of the files.

there are tons of text

what would be the next step? are there any programs that can be used to decrypt them?

see to link in first post. there must be alot of information for starters

id really like to start making a modified firmware but dont really know where to start.

you need:
- dissasembler
- MIPS tool chain (ELF signature seems very promising)
- would be exelent to find somewhere RTOS sources in peering network
- alot of patience

also is there a way to reupload the firmware once its modded?

I see two ways.
1) I think camera should contain some menu once file is on card
2) it is possible to make fake web server on local machine. overriding IP address of theirs domain name will direct "Olympus Master" to local web server. then update will proceed as usual

[mx3]

also I suggest you to try reflash camera twice using "Olympus Master"
It will show whether it is hard to upload modified file with the same version

[mx3]

SP series: sp310, sp320, sp350
SP-500,  SP-510UZ, SP-550UZ, SP-560UZ, SP-570UZ

CPU: ARM

Flash base address: 0x40000000




FujiFilm cameras S700 (S5700),  S800(S5800), s8000fd have the same Firmware packing structure
and they are ARM powered

same for Nikon E8700, CP3200, CP3700, CP5900, CP7900, CP8400, CP8800

[mx3]

what would be the next step?

- guess memory addresss space configuration (ELFs disassembling)
- find out whether it is possible to run code without firmware modification (ELFs disassembling)

[mx3]

what is TruePic processor?
are there 2 processors in Olympus cameras?
LX4180 - slave to truepic? or truepic is derivative from LX4180?

anybody seen pictures of disassembled Olympus camera with chips visible?

[kLOTTiS]

ive started to try dissasemble it with IDA but am still learning the program

ive put the bin file on the memory card in many locations but no new menus have appeared, and there is no way that i see to update again. i think maybe i might have to somehow change the version of the firmware and then update it with a fake http connection

[mx3]

ive started to try dissasemble it with IDA but am still learning the program

ive put the bin file on the memory card in many locations but no new menus have appeared, and there is no way that i see to update again. i think maybe i might have to somehow change the version of the firmware and then update it with a fake http connection

I don't think "MAster"place file into camera with the same name it got while downloading it

[kLOTTiS]

sorry i dont understand that post i think maybe im tired

[mx3]

sorry i dont understand that post i think maybe im tired

my native language - russian so there are can be my mystakes

I meant You know the name of BIN file how it was downloaded from WEB serer.
Olympus Master places it into camera.
I'm sure it copy it over USB with the name wich is different from original one (FAT system. Long names. it is a hunch)

I'm sure name must be short and the same for different updates.
the only way to found out it - analyse FW file (disassemble it)
anyway we are speaking about "Plan A" - placing modified firmware into camera.
do you have already update file wich you would like to test?

[mx3]

ive started to try dissasemble it with IDA but am still learning the program

it seems olympus uses common EXE format - ELF.
placing it into IDA gives you all information - including DEBUG info.
canon geeks newer had such chance


Update:
IDA disassembled it in two seconds....

PS: I loaded first ELF

[kLOTTiS]

I meant You know the name of BIN file how it was downloaded from WEB serer.
Olympus Master places it into camera.
I'm sure it copy it over USB with the name wich is different from original one (FAT system. Long names. it is a hunch)

I'm sure name must be short and the same for different updates.
the only way to found out it - analyse FW file (disassemble it)
anyway we are speaking about "Plan A" - placing modified firmware into camera.
do you have already update file wich you would like to test?

oh yes ok i understand now, would it help formatting it to fat32 or will that not make a difference? i dont think it will because as you say olympus master will rename it to something shorter to update.

i do not have an update to test yet though, i was just thinking ahead incase we cant reupload it. because if we cant reupload it theres no point modifying it

[mx3]

unpacker attached